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Abstract 

Rabi and Sherman [RS97,RS93] proved that the hardness of factoring is a sufficient 
condition for there to exist one-way functions (i.e., p-time computable, honest, p-time non- 
invertible functions; this paper is in the worst-case model, not the average-case model) that 
are total, commutative, and associative but not strongly noninvertible. In this paper we 
improve the sufficient condition to P ^ NP. 

More generally, in this paper we completely characterize which types of one-way func¬ 
tions stand or fall together with (plain) one-way functions—equivalently, stand or fall to¬ 
gether with P ^ NP. We look at the four attributes used in Rabi and Sherman’s sem¬ 
inal work on algebraic properties of one-way functions (see [RS97,RS93]) and subsequent 
papers—strongness (of noninvertibility), totality, commutativity, and associativity—and for 
each attribute, we allow it to be required to hold, required to fail, or “don’t care.” In this 
categorization there are 3 4 = 81 potential types of one-way functions. We prove that each 
of these 81 feature-laden types stand or fall together with the existence of (plain) one-way 
functions. 

Key words: computational complexity, worst-case one-way functions, associativity, 
commutativity, strong noninvertibility. 



1 Introduction 


1.1 Motivation 

In this paper, we study properties of one-way functions, i.e., properties of functions that 
are easy to compute, but hard to invert. One-way functions are important cryptographic 
primitives and are the key building blocks in many cryptographic protocols. Various models 
to capture “noninvertibility” and, depending on the model used, various candidates for 
one-way functions have been proposed. The notion of noninvertibility is usually based on 
the average-case (where the “average-case” refers to the difficulty of inversion) complexity 
model (see, e.g., the book [GolOl] and the references therein) in cryptographic applications, 
whereas noninvertibility for complexity-theoretic one-way functions is usually defined in the 
worst-case model (see the definitions of this paper). Though the average-case model is very 
important, we note that even the challenge of showing that any type of one-way function 
exists in the “less challenging” worst-case model remains an open issue after many years 
of research. It is thus natural to wonder, as a first step, what assumptions are needed to 
create various types of complexity-theoretic one-way functions. In this paper, we seek to 
characterize this existence issue in terms of class separations. (In addition, we mention that 
the seminal work on associativity, commutativity, and strong noninvertibility of one-way 
functions, which was done by Rabi and Sherman [RS93,RS97] who also proposed concrete 
protocols to be based on such one-way functions, is itself in the worst-case model.) 

Complexity-theoretic one-way functions of various sorts, and related notions, were stud¬ 
ied early on by, for example, Berman [Ber77], Brassard, Fortune, and Hopcroft [BFH78, 
Bra79], Ko [Ko85], and especially Grollmann and Selman [GS88], and have been much in¬ 
vestigated ever since; see, e.g., [AR88,Wat88,Wat89,HH91,Sel92,RS93,Gra94,HRW97,RS97, 
HR99,BHHR99,HR00,RH02,FFNR03,HT03,Hom04,HPR06]. The four properties of one¬ 
way functions to be investigated in this paper are strongness, totality, commutativity, and 
associativity. Intuitively, strong noninvertibility—a notion proposed by Rabi and Sher¬ 
man [RS97,RS93] and more recently studied in [HR99,Hom04,HPR06]—means that for a 
two-ary function, given some function value and one of the corresponding arguments, it is 
hard to determine the other argument. It has been known for decades that one-way func¬ 
tions exist if and only if P ^ NP. But the Rabi-Sherman paper brought out the natural 
issue of trying to understand what complexity-theoretic assumptions characterized the ex¬ 
istence of one-way functions with certain algebraic properties. Eventually, Hemaspaandra 
and Rothe [HR99] proved that strong, total, commutative, associative one-way functions 
exist if and only if P ^ NP. (As mentioned earlier, one-way functions with these proper¬ 
ties are the key building blocks in Rabi, Rivest, and Sherman’s cryptographic protocols for 
secret-key agreement and for digital signatures (see [RS97,RS93]).) The surprising work of 
Homan [Hom04] both strengthens the results of Rabi and Sherman on the ambiguity that 
must be present in total, associative functions and proves that if one-to-one one-way func¬ 
tions exist, then there exist strong, total, associative one-way functions having relatively 
low ambiguity. 

This paper provides a detailed study of the four properties of one-way functions men- 
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tioned above. For each possible combination of possessing, not possessing, and being obliv¬ 
ious to possession of the property, we study the question of whether such one-way functions 
can exist. Why should one be interested in knowing if a one-way function possesses “neg¬ 
ative” properties, such as noncommutativity? On one hand, negative properties can also 
have useful applications. For example, Saxena, Soh, and Zantidis [SS05,SSZ05] propose 
authentication protocols for mobile agents and digital cash with signature chaining that use 
as their key building blocks strong, associative one-way functions for which commutativity 
in fact is a disadvantage—though they need commutativity to not merely fail but to fail far 
more often than is achieved in the failure constructions of the present paper. More gener¬ 
ally and more importantly, given that complexity-theoretic one-way functions have already 
been studied for decades (see the citations above, going as far back as the 1970s), it seems 
natural to try to understand and catalog which types of one-way functions are created by, 
for example, simply assuming P ^ NP. This paper does that completely with respect to 
strongness, totality, commutativity, and associativity. 

1.2 Summary of Our Results 

This paper is organized as follows. In Sections 2 and 3, we formally define the notions and 
notation used, and we provide some basic lemmas that allow us to drastically reduce the 
number of cases we have to consider. We will state the full definitions later, but stated 
merely intuitively, a function is said to be strongly noninvertible if given the output and 
one argument one cannot efficiently find a corresponding other argument; and a function is 
said to be strong if it is polynomial-time computable, strongly noninvertible, and satisfies 
the natural honesty condition related to strong noninvertibility (so-called s-honesty). In 
Section 4, we prove that the condition P / NP characterizes all 27 cases induced by one¬ 
way functions that are strong. As a corollary, we also obtain aP / NP characterization of 
all 27 cases where one requires one-way-ness but is oblivious to whether or not the functions 
are strong. In Section 5, we consider functions that are required to be one-way but to not 
be strong. We show that P ^ NP characterizes all of these 27 cases. Thus, P ^ NP 
characterizes all 81 cases overall. 

Table 1 summarizes the support for our results for the 16 key cases in which each of 
the four properties considered is either enforced or defied. 1 Definition 2.4 provides the 
classification scheme used in this table. The left column of Table 1 has 16 quadruples of the 
form ( s,t,c,a ), where s regards “strong,”, t. means “total,” c means “commutative,” and 
a means “associative.” The variables s, t, c, and a take on a value from {Y, N}, where Y 
means presence (i.e., “yes”), and N means absence (i.e., “no”) of the given property. The 
center column of Table 1 states the conditions characterizing the existence of (s, t, c, a )- 
OWFs, and the right column of Table 1 gives the references to the proofs of the results 
stated. 

1 In light of the forthcoming Lemma 3.2, those cases in which one is oblivious to whether some property 
holds follow immediately from the cases stated in Table 1. 
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Properties 
{s,t,c, a) 

P ^ NP characterization for 
this case is established by 

(N, N, N, N) 
(N,N,N, Y) 
(N,N, Y,N) 
(N,N, Y, Y) 

Lemma 5.2 + Lemma 3.4 

Lemma 5.5 + Lemma 3.4 

Lemma 5.1 + Lemma 3.4 

Lemma 5.5 + Lemma 3.4 

(N, Y,N,N) 
(N, Y,N, Y) 
(N, Y, Y,N) 
(N,Y,Y,Y) 

[HPR06]; see Lemma 5.2 

Lemma 5.5 

Lemma 5.1 

Lemma 5.5 

(Y, N, N, N) 
(Y,N,N, Y) 
(Y,N, Y,N) 
(Y,N, Y, Y) 

Lemma 4.5 + Lemma 3.4 

Lemma 4.4 + Lemma 3.4 

Lemma 4.3 + Lemma 3.4 

Lemma 4.2 + Lemma 3.4 

(Y,Y,N,N) 
(Y,Y,N,Y) 
(Y,Y,Y,N) 
(Y, Y, Y, Y) 

Lemma 4.5 

Lemma 4.4 

Lemma 4.3 

[HR99], here restated as Lemma 4.2 


Table 1: Summary of support for the 16 key cases 


1.3 General Proof Strategy 

We do not attempt to brute-force all 81 cases. Rather, we seek to turn the cases’ structure 
and connectedness against themselves. So, in Section 3 we will reduce the 81 cases to 
their 16 key cases that do not contain “don’t care” conditions. Then, also in Section 3, we 
will show how to derive the nontotal cases from the total cases, thus further reducing our 
problem to 8 key cases. 

As Corollary 4.6 and, especially, much of Section 5 will show, even among the 8 key 
cases we share attacks, and find and exploit implications. 

Thus, the proof in general consists both of specific constructions—concrete realizations 
forcing given patterns of properties—and the framework that minimizes the number of such 
constructions needed. 

2 Preliminaries and Notations 

Fix the alphabet £ = {0,1}. The set of strings over £ is denoted by £*. Let e denote 
the empty string. Let £ + = £* — {e}. For any string x € £*, let \x\ denote the length 
of x. Let (-, •) : £* x £* —> £* be some standard pairing function, that is, some total, 
polynomial-time computable bijection that has polynomial-time computable inverses and is 
nondecreasing in each argument when the other argument is fixed. Let FP denote the class 
of polynomial-time computable functions (this includes both total and nontotal functions). 
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This paper focuses completely on mappings from X* x X* to X* (they are allowed to be 
many-to-one and they are allowed to be nontotal, i.e., they may map many distinct pairs 
of strings from X* x X* to one and the same string in X*, and they need not be defined 
for all pairs in X* x X*). (The study of 2-argument one-way functions of course is needed 
if associativity and commutativity are to be studied.) For each function /, let domain(/) 
denote the set of input pairs on which / is defined, and denote the image of / by image(/). 

Definition 2.1 presents the standard notion of a (complexity-theoretic, many-one) one¬ 
way function, suitably tailored to the case of two-ary functions in the standard way; 
see [RS93,RS97,HR99,Hom04,HPR06]. (For general introductions to or surveys on one¬ 
way functions, see [Sel92], [BHHR99], and [HO02, Chapter 2]. For general background on 
complexity see, e.g., [HO02,BC93].) Our one-way functions are based on noninvertibility in 
the worst-case model, as opposed to noninvertibility in the average-case model that is more 
appealing for cryptographic applications. The notion of honesty in Definition 2.1 below is 
needed in order to preclude functions from being noninvertible simply due to the trivial 
reason that some family of images lacks polynomially short preimages. 

Definition 2.1 (One-Way Function) Let a be a function (it may be either total or 
nontotal) mapping from X* x X* to X*. 

1. We say a is honest if and only if there exists a polynomial p such that for each 
z £ image(<r), there exists a pair (x,y) £ domain (<r) such that a(x,y) = z and 

\x\ + \y\ < p( M)- 

2. We say a is (polynomial-time) noninvertible if and only if there exists no function f 
in FP such that for all z £ image(cr), we have a(f(z)) = z. 

3. We say a is a one-way function if and only if a is polynomial-time computable, honest, 
and noninvertible. 

The four properties of one-way functions that we will study in this paper are strongness, 
totality, commutativity, and associativity. A function a mapping from X* x X* to X* is said 
to be total if and only if a is defined for each pair in X* x X*, and is said to be nontotal 
if it is not total. We say that a function is partial if it is either total or nontotal; this says 
nothing, but makes it clear that we are not demanding that the function be total. 

We now define the remaining three properties. Rabi, Rivest, and Sherman (see [RS97, 
RS93]) introduced the notion of strongly noninvertible associative one-way functions (strong 
AOWFs, for short). Rivest and Sherman (as attributed in [RS97,RS93]) designed crypto¬ 
graphic protocols for two-party secret-key agreement and Rabi and Sherman designed cryp¬ 
tographic protocols for digital signatures, both of which need strong, total AOWFs as their 
key building blocks. They also sketch protocols for multiparty secret-key agreement that re¬ 
quired strong, total, commutative AOWFs. Strong (and sometimes total and commutative) 
AOWFs have been intensely studied in [HR99,BHHR99,Hom04,HPR06]. 

Though Rabi and Sherman’s [RS97] notion of associativity is meaningful for total func¬ 
tions, it is not meaningful for nontotal two-ary functions, as has been noted and discussed 
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in [HR99]. Thus, we here follow Hemaspaandra and Rothe’s [HR99] notion of associativity, 
which is appropriate for both total and nontotal two-ary functions, and is designed as an 
analog to Kleene’s 1952 [Kle52] notion of complete equality of partial functions. 

Definition 2.2 (Associativity and Commutativity) Let a be any partial function 
mapping from X* x X* to X*. Extend X* by T = X* U {_L} ; where _L is a special symbol 
indicating, in the usage “a(x,y) = T,” that a is not defined for the pair (x,y). Define an 
extension a of a, which maps from T xT to T, as follows: 


(2.1) d{x,y) 


a(x,y) if x -L and y _L and (x,y) G domain(cr) 
_!_ otherwise. 


1. We say a is associative if and only if for each x,y,z € X*, a(c t(x, y),z ) = a(x, a(y, z)). 

2. We say a is commutative if and only if for each x,y G X*, a(x,y) = a(y,x). 

Informally speaking, strong noninvertibility (see [RS97,RS93]) means that even if a func¬ 
tion value and one of the corresponding two arguments are given, it is hard to compute the 
other argument. It is known that, unless P = NP, some noninvertible functions are not 
strongly noninvertible [HPR06]. And, perhaps counterintuitively, it is known that, unless 
P = NP, some strongly noninvertible functions are not noninvertible [HPR06]. That is, un¬ 
less P = NP, strong noninvertibility does not imply noninvertibility. Strong noninvertibility 
requires a variation of honesty that is dubbed s-honesty in [HPR06]. The notion defined 
now, as “strong (function)” in Definition 2.3, is in the literature typically called a “strong 
one-way function.” This is quite natural. However, to avoid any possibility of confusion 
as to when we refer to that and when we refer to the notion of a “one-way function” (see 
Definition 2.1; as will be mentioned later, neither of these notions necessarily implies the 
other), we will throughout this paper simply call the notion below “strong” or “a strong 
function,” rather than “strong one-way function.” 

Definition 2.3 (Strong Function) Let a be any partial function mapping from X* xX* 
to X*. 

1. We say a is s-honest if and only if there exists a polynomial p such that the following 
two conditions are true: 


(a) For each x, z G X* with cr(x,y) = z for some y G X*, there exists some string 

y G X* such that a(x, y) = z and \y\ < p(\x\ + \z\). 

(b) For each y,z G X* with a(x,y) = z for some x G X* ; there exists some string 

x G X* such that cr(x,y) = z and |.x| <p(|y| + \z\). 

2. We say a is (polynomial-time) invertible with respect to the first argument if and 
only if there exists an inverter g\ G FP such that for every string z G image(cr) and 
for all x,y G X* with (x, y) G domain(<r) and a(x, y ) = z, 

a(x,gi{{x,z))) = z. 
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3. We say a is (polynomial-time) invertible with respect to the second argument if and 
only if there exists an inverter g 2 £ FP such that for every string z £ image (a) and 
for all x,y £ £* with (x, y) £ domain(a) and a(x, y) = z, 

°(92((y,z)),y) = z. 

4■ We say a is strongly noninvertible if and only if a is neither invertible with respect 
to the first argument nor invertible with respect to the second argument. 

5. We say a is strong if and only if a is polynomial-time computable, s-honest, and 
strongly noninvertible. 

In this paper, we will look at the 3 4 = 81 categories of one-way functions that one can 
get by requiring the properties strong/total/commutative/associative to either: hold, fail, 
or “don’t care.” For each, we will try to characterize whether such one-way functions exist. 

We now define a classification scheme suitable to capture all possible combinations of 
these four properties of one-way functions. 

Definition 2.4 (Classification Scheme for One-Way Functions) For each 

s,t,c,a £ {Y, N, *}, we say that a partial function a : E* x X* —*• E* is an ( s,t,c,a ) 
one-way function (an (s,f,c,o)-OWF, for short) if and only if all the following hold: a is a 
one-way function, if s = Y then a is strong, if s = N then a is not strong, if t = Y then a 
is a total function, iff, = N then a is a nontotal function, if c = Y then a is a commutative 
function, if c = N then a is a noncommutative function, if a = Y then a is an associative 
function, and if a = N then a is a nonassociative function. 

For example, a function is a (Y, Y, Y, Y)-OWF exactly if it is a strong, total, commuta¬ 
tive, associative one-way function. And note that, under this definition, whenever a setting 
is *, we don’t place any restriction as to whether the corresponding property holds or fails to 
hold—that is, * is a “don’t care” designator. For example, a function is a (*, Y, *, *)-OWF 
exactly if it is a total one-way function. Of course, all (Y, Y, Y, Y)-OWFs are (*,Y, *,*)- 
OWFs. That is, our 81 classes do not seek to partition, but rather to allow all possible 
simultaneous settings and “don’t care”s for these four properties. However, the 16 such 
classes with no stars are certainly pairwise disjoint. 

3 Groundwork: Reducing the Cases 

In this section, we show how to tackle our ultimate goal, stated as Goal 3.1 below, by 
drastically reducing the number of cases that are relevant among the 81 possible cases. 

Goal 3.1 For each s,t,c,a £ {Y, N, *} ; characterize the existence of (s,t,c, a) -OWFs in 
terms of some suitable complexity-theoretic condition. 
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Since * is a “don’t care,” for a given * position the characterization that holds with that 
* is simply the “or” of the characterizations that hold with each of Y and N substituted for 
the *. For example, clearly there exist (Y, Y, Y, *)-OWFs if and only if either there exist 
(Y, Y, Y, Y)-OWFs or there exist (Y, Y, Y, N)-OWFs. And cases with more than one * can 
be “unwound” by repeating this. So, to characterize all 81 cases, it suffices to characterize 
the 16 cases stated in Table 1. 

Lemma 3.2 1. For each t,c,a G {Y, N, *}, there exist (*, t, c, o)-OWFs if and only if 

either there exist (Y,f,c, o)-OWFs or there exist (N, t, c, o)-OWFs. 

2. For each s,c,a G {Y, N, *}, there exist (s,*,c, a)-OWFs if and only if either there 
exist (s,Y,c,a)-OWFs or there exist (s,N,c,a)-OWFs. 

3. For each s,t,a G {Y, N, *}, there exist ( s , t. *, a)-OWFs if and only if either there exist 
(s,t,Y, a)-OWFs or there exist (s,f,N,o)-OWFs. 

4- For each s,t,c G {Y, N, *}, there exist ( s , t, c, *)-OWFs if and only if either there exist 
(s,i,c,Y)-OWFs or there exist (s,f,c,N)-OWFs. 

It is well known (see [BDG95] and Proposition 1 of [Sel92]) that P / NP if and only if 
(*,*,*, *)-OWFs exist, i.e., P ^ NP if and only if there exist one-way functions, regardless 
of whether or not they possess any of the four properties. So, in the upcoming proofs, we 
will often focus on just showing that P ^ NP implies the given type of OWF exists. 

Lemma 3.3 For each s,t,c,a G {Y, N, *}, if there are (s,f,c,a)-OWFs then P / NP. 

Next, we show that all cases involving nontotal one-way functions can be easily reduced 
to the corresponding cases involving total one-way functions. Thus, we have eliminated the 
eight “nontotal” of the remaining 16 cases, provided we can solve the eight “total” cases. 

Lemma 3.4 For each s,c,a& {Y, N}, if there exists an (s,Y,c,a)-OWF, then there exists 
an (s, N, c, a)-OWF. 

Proof. Fix any s,c,a G {Y, N}, and let a be any given (s, Y, c, a)-OWF. For each string 
w G £*, let w + denote the successor of w in the standard lexicographic ordering of £*, and 
for each string w G E + , let w~ denote the predecessor of w in the standard lexicographic 
ordering of S*. 

Define a function p : E* x E* —> E* by 

. . ( (cr(x~ ,y~)) + if x =4 e ^ y 

P(x,yp- | undefined otherwise. 

Note that p is nontotal, since it is not defined on the pair (e, e). It is a matter of routine 
to check that p is a one-way function, i.e., polynomial-time computable, honest, and nonin- 
vertible. It remains to show that p inherits all the other properties from a as well. To this 
end, we show the following claim. 
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Claim 3.5 1. a is commutative if and only if p is commutative. 

2. a is associative if and only if p is associative. 

3. a is strong if and only if p is strong. 

Proof of Claim 3.5 We check these properties separately. 

1. Commutativity: Suppose that a is commutative. Given any strings x,y € E*, if 
x = e or y = e, then both p(x, y) and p(y, x) are undefined. If x ^ e ^ y, then the 
commutativity of a implies that 

p(x,y) = (a(x~ ,y~)) + = {a(y~,x~)) + = p(y,x). 

So p(x,y) = p(y,x). By Definition 2.2, p is commutative. 

Conversely, suppose that cr is noncommutative. Since a is total, we don’t have to 
worry about holes in the domain of a. Let a and b be fixed strings in E* such that 
cr(a,b) / a(b,a). It follows that 


p(a + ,b + ) ^p(b + ,a + ). 


Thus, p is noncommutative. 

2. Associativity: Suppose that a is associative. Let x, y, and z be any strings in E*. 
If x = e or y = e or z = e, then both p(x, p(y, z)) and p(p(x,y), z) are undefined. If 
none of x, y, and z equals the empty string, then the associativity of a implies 

p{x,p{y,z )) = {a{x~,a(y~,z~))) + 

= ( a{a{x~,y~),z~)) + 

= p(p(x,y),z). 

So p(x,p(y,z)) = p(p(x,y), z). By Definition 2.2, p is associative. 

Conversely, suppose that a is nonassociative. Let a, b, and c be fixed strings in E* such 
that cr(a,cr(b,c)) a(a(a,b),c). Since a is total, each of cr(a,b), a(b,c), a(a,a(b,c)), 
and a(a(a, b), c) is defined. So 

(. p(a + ,p(b + ,c + )))~ = a(a, a(b, c)) 

+ cr(cr(a,b),c ) 

= ( P(p(a + ,b + ),c + ))~, 

which implies p(a + , p(b + , c + )) ^ p(p(a + ,b + ), c + ). Thus, 

p(a + , p(b + , c+)) + p(p(a+, b + ), c+). 


By Definition 2.2, p is nonassociative. 



3. Strongness: First, we note that a is s-honest if and only if p is s-honest. Let p be 
some polynomial witnessing the s-honesty of a as per Definition 2.3: 

(a) For each x, z £ X* with a(x,y) = z for some y £ X*, there exists some string 
y £ X* such that a(x, y) = z and \y\ < p(\x\ + |z|). 

(b) For each y,z £ X* with a(x,y) = z for some x £ X*, there exists some string 
x G X* such that a(x , y) = z and \x\ < p(\y\ + |z|). 

Since p shifts the arguments and the function value of a just by one position in the 
lexicographic ordering on X*, the polynomial q{n) = p(n) + 1 witnesses the s-honesty 
of p. The converse is proven analogously. 

Now, we show that a is strongly noninvertible if and only if p is strongly noninvertible. 
Suppose that a is invertible with respect to the first argument via some inverter <71 
in FP. That is, for each string 2 G iinage(cr) and for all x,y G X* with (. x,y ) G 
domain(u) and a(x, y) = z, we have 

cr(x,gi((x,z))) = z. 

From g\ we construct an inverter f\ G FP that inverts p with respect to the first 
argument as follows. Let z be any string in image(p), and let x,y G X* be any 
strings such that (x, y) G domain)/?) and p(x,y) = z. Given (x,z), f± computes 
(gi((x~, z~))) + . Note that p never maps to the empty string, so z / e and z - is 
well-defined. Similarly, x 7 ^ e because (. x,y ) G doiriain(p), so x~ is well-defined. 
Thus, 

P(x,fi((x,z))) = p(x, (g!((x-, z~))) + ) = z. 

Similarly, an inverter with respect to the second argument can be built for p given 
one for a. 

Conversely, given an inverter for p with respect to the first (respectively, second) argu¬ 
ment, an inverter for a with respect to the first (respectively, second) argument can be 
constructed by reverting the shifting above. Thus, if p is not strongly noninvertible, 
neither is a. 


1 Claim 3.5 

This completes the proof of Lemma 3.4. | 

Lemmas 3.2, 3.3, and 3.4 imply that it suffices to deal with only the “total” cases. 
That is, to achieve Goal 3.1, it would be enough to show that if P / NP then each 
of the following eight types of one-way functions exist: (Y, Y, Y, Y)-OWFs, (Y, Y, Y, N)- 
OWFs, (Y, Y, N, Y)-OWFs, (Y, Y, N, N)-OWFs, (N, Y, Y, Y)-OWFs, (N, Y, Y, N)-OWFs, 
(N, Y, N, Y)-OWFs, and (N, Y, N, N)-OWFs. In the following sections, we will study each 
of these cases. 
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4 Strongness and Being Oblivious to Strongness: (Y, £, c, a )- 
OWFs and (*, £, c, a)-OWFs 

In this section, we consider the “strong”-is-required cases and those cases where the property 
of strongness is a “don’t care” issue. We start with the 27 “strong” cases. Theorem 4.1 
below characterizes each of these cases by the condition P ^ NP. The proof of Theorem 4.1 
follows from the upcoming Lemmas 4.2 through 4.5, via Lemmas 3.2, 3.3, and 3.4. 

Theorem 4.1 For each t,c,a € {Y, N,*}, there exist (Y,t,c,a)-OWFs if and only ifP^ 

NP. 


Lemma 4.2 is already known from Hemaspaandra and Rothe’s work [HR99]. 

Lemma 4.2 If P / NP then there exist (Y, Y, Y, Y)-OWFs. 

The equivalence (due to [HR99], and following immediately from Lemma 4.2 in light of 
Lemma 3.3) of P ^ NP and the existence of (Y, Y, Y, Y)-OWFs will be exploited in the 
upcoming proofs of Lemmas 4.3, 4.4, and 4.5. That is, in these proofs, we start from a 
strong, total, commutative, associative one-way function. 


Lemma 4.3 If P / NP then there exist (Y, Y, Y, N)-OWFs. 


Proof. By Lemmas 3.3 and 4.2, the condition P ^ NP is equivalent to the existence of 
some (Y, Y, Y, Y)-OWF, call it a. Recall from the proof of Lemma 3.4 that, in the standard 
lexicographic ordering of Y*, w + denotes the successor of w G Y* and w~ denotes the 
predecessor of w G Y + . We use the following shorthand: For w € Y*, let w 2+ = (rc + ) + , 
and for iv G Y* with w 0 {e,0}, let w 2 ~ = Define a function p : Y* x E* —> E* by 


pOd y) 


£ 

0 


l (a(x 2 -,y 2 -)) 2 + 


if x = y = 0 
if x = y = £ 

if (x = £ A y = 0) V (x = 0 A y = e) 

if {x, y} n {e, 0} / 0 A {x, y} n (Y* - {e, 0}) / 0 

otherwise. 


It is easy to see that p is one-way, strong, total, and commutative. This fact can be seen 
to follow from the construction of p and from a having all these properties. However, p is 
not an associative function, since p(e, p(e,0)) = 0 ^ e = p(p(£,s),0). 

Thus, p is a (Y, Y, Y, N)-OWF. | 


Lemma 4.4 IfP / NP then there exist (Y, Y, N, Y)-OWFs. 
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Proof. Assuming P / NP. By Lemma 4.2, let a be a (Y, Y, Y, Y)-OWF. Define a 
function p : E* x E* —> E* by 

( y if x,y g {0,1} 

p{x,y) = < {a(x 3 -,y 3 ~)) 3+ if x fL {e,0,1} A y <£ {e,0,1}) 

[ e otherwise, 

where we use the following shorthand: Recall from the proof of Lemma 3.4 that, in the 
standard lexicographic ordering of E*, w + denotes the successor of w G E* and w~ denotes 
the predecessor of in € E + . For w G E*, let w 3+ = ((rc + ) + ) + , and for w G E* with 
w 0 {e. 0,1}, let w 3 ~ = . 

It is easy to see, given the fact that a is a (Y, Y, Y, Y)-OWF, that p is a strongly 
noninvertible, s-honest, total one-way function. However, unlike a , p is nonconunutative, 
since 

p(o, 1) = 1 / 0 = p(l, 0). 

To see that p, just like a, is associative, let three arbitrary strings be given, say a, b , and c. 
Distinguish the following cases: 

Case 1: Each of a, b, and c is a member of { 0,1}. Then, associativity follows from the 
definition of p: 


P(a, p{b , c)) = p(a, c) =c = p(b , c) = p(p{a, 6), c). 


Case 2: None of a, b, and c is a member of {s, 0,1}. Then the associativity of p follows 
immediately from the associativity of a. That is, 


p( a ,p{b , c)) 


p(a, (a(b 3 ~, c 3_ )) 3+ ) 
(cr(a 3_ , cr{b 3 ~, c 3 ~))) 3+ 
(a(a(a 3 ~, b 3 ~),c 3 ~)) 3+ 
p((a(a 3 -,b 3 ~)) 3+ ,c) 
p(p(a, b), c). 


Note here that both (cr(a 3 , 6 3 )) 3+ and (u(6 3 ,c 3 )) 3+ are strings that are not mem¬ 
bers of {e, 0,1}. 

Case 3: At least one of a, b, and c is not a member of {0,1}, and at least one of a, b, 
and c is a member of {e, 0,1}. In this case, it follows from the definition of p that 


p{a, p(b, c))=e = p(p(a, b),c). 


Thus, p is a (Y, Y, N, Y)-OWF. 


I 


Lemma 4.5 If P / NP then there are (Y, Y, N, N)-OWFs. 
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Proof. Assume P / NP. By Lemma 4.2, let a be a (Y, Y, Y, Y)-OWF. Define a function 
p : £* x £* - £* by 

e if x = y = 0 

0 if x = y = e 

e if x = e A y = 0 

0 if x = 0 A y = £ 

£ if {x,y} n {£,0} ± 0 A {x,y} n (£* - {e,0}) ± 0 

(ct(x 2 Y y 2 ~)) 2+ otherwise. 

Again, it follows from the properties of a and the construction of p that p is one-way, strong, 
and total. However, p is not commutative, since 

p(£, 0) = £ + 0 = p(0,e). 

Furthermore, p is not associative, since 

p(e,p(£,0)) = 0 / e = p{p(e,e), 0). 

Thus, p is a (Y, Y, N, N)-OWF. I 

Next, we note Corollary 4.6, which follows immediately from Theorem 4.1 via Lem¬ 
mas 3.2 and 3.3. That is, in light of Lemmas 3.2 and 3.3, Theorem 4.1 provides also a 
P ^ NP characterization of all 27 cases where one requires one-way-ness but is oblivious to 
whether or not the functions are guaranteed to be strong. 

Corollary 4.6 For each t,c,a € {Y, N, *}, there are (*, t, c, a)-OWFs if and only if P ^ 

NP. 

5 Nonstrongness: (N, t , c, a)-OWFs 

It remains to prove the 27 “nonstrong” cases. All 27 have P ^ NP as a necessary condition. 
For each of them, we also completely characterize the existence of such OWFs by P ^ NP. 

First, we consider two “total” and “nonstrong” cases in Lemmas 5.1 and 5.2 below. 
Note that Hemaspaandra, Pasanen, and Rothe [HPR06] constructed one-way functions 
that in fact are not strongly noninvertible. Unlike Lemmas 5.1 and 5.2, however, they 
did not consider associativity and commutativity. Note that, in the proofs of Lemmas 5.1 
and 5.2, we achieve “nonstrongness” while ensuring that the functions constructed are s- 
honest. That is, they are not “nonstrong” because they are not s-honest, but rather they 
are “nonstrong” because they are not strongly noninvertible. 

Lemma 5.1 If P / NP then there exist (N, Y, Y, N)-OWFs. 
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Proof. Assuming P 7 ^ NP, we define an (N, Y, Y, N)-OWF that is akin to a function con¬ 
structed in Theorem 3.4 of [HPR061 (which is currently most easily available via Theorem 3 
of [HPR01]). 

Define a function a : E* x E* —> E* by 

, , ( 1 p(x) if x = y 

°(x,y) = { n \' , \ / >. , 

y L) nim(x', y) max(x, y) if x Y y , 


where min(x, y) denotes the lexicographically smaller of x and y, max(x, y) denotes the 
lexicographically greater of x and y, and p : E* —> E* is a total one-ary one-way function, 
which exists assuming P 7 ^ NP. Note that a is polynomial-time computable, total, honest, 
and s-honest. Clearly, if a could be inverted in polynomial time then p could be too. Thus, 

a is a one-way function. However, although a is s-honest, it is not strong. To prove that 

<t is not strongly noninvertible, we show that it is invertible with respect to each of its 
arguments. Define a function fi : E* —> E* by 

y if (3x, y, z G £*) [a = (x, Oz) A z = xy A x <i ex y] 

f ( x _ y if (3x, y, z € E*) [a = (x, Oz) A z = yx A y <i ex x] 

x if (3x, ^ € S*) [a = {x, lz)\ 
e otherwise, 


where x <i ex y indicates that x is strictly smaller than y in the lexicographic ordering of E*. 
Note that /1 is in FP and that f\ inverts a with respect to the first argument. Although 
this is already enough to defy strong noninvertibility of a, we note that one can analogously 
show that a also is invertible with respect to the second argument. 

To see that a is commutative, note that if x 7 ^ y then a(x, y) = 0 min(x, y) max(x, y) = 
a(y,x). (Although the x = y case does not need to be discussed to establish commuta¬ 
tivity, for completeness we mention that if x = y then a(x,y) = 1 p(x) = o{y,x).) To see 
that a is nonassociative, note that u(cj( 1, 0), 001) = cr(001,001) = 1/3(001) / 0100001 = 
£7(1,00001) = £7(1,(7(0,001)). 

Thus, £7 is an (N, Y, Y, N)-OWF, which completes the proof. | 


Lemma 5.2 If P / NP then there exist (N, Y, N, N)-OWFs. 


Proof. 

p : E* - 
follows: 


Assume that P 7 ^ NP. So there exists a total one-argument one-way function 
E*. In Theorem 3.4 of [HPR06], a function £7 : E* x E* —> E* is constructed as 


J 1 p(x) if x = 

\ 0 xy if x 7 ^ y 


It is shown in [HPR06] that a is a total, s-honest one-way function that is not strongly 
noninvertible. 

To see that £7 is noncommutative, note that 


£7(0,1) = 001 / 010 = £7(1,0). 
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To see that o is nonassociative, note that 

cr(cr(0,1), 001) = 1/9(001) + 0001001 = cr(0, cr(l, 001)). 

Thus, o is an (N, Y, N, N)-OWF, which completes the proof. 1 

Next, we observe that the two remaining “total” and “nonstrong” cases are connected: 
Lemma 5.3 shows that, given an (N, Y, Y, Y)-OWF, one can construct an (N, Y, N, Y)-OWF. 
Thus, by Lemma 3.4, characterizing via P 7 ^ NP just the case of (N, Y, Y, Y)-OWFs will 
suffice to solve all the four remaining cases (namely, NYYY, NYNY, NNYY, and NNNY) 
at once. 

Lemma 5.3 If there exist (N, Y, Y, Y)-OWFs, then there exist (N, Y, N, Y)-OWFs. 

Proof. The proof uses the construction presented in Lemma 4.4, except that we now start 
from an (N, Y, Y, Y)-OWF <7 instead of a (Y, Y, Y, Y)-OWF as in Lemma 4.4. Constructing 
p from a according to the proof of Lemma 4.4 yields a total, noncommutative, associative 
one-way function that is not strongly noninvertible. ! 

We now turn to completely characterizing the existence of (N, Y, Y, Y)-OWFs. A trans¬ 
formation from the literature that might seem to come close to establishing “if P 7 ^ NP, 
then (N, Y, Y, Y)-OWFs exist” has been shown to be flawed unless an unlikely complexity 
class collapse occurs . 2 However, the following result of Rabi and Sherman does provide 
evidence that (N, Y, Y, Y)-OWFs indeed exist. 

Theorem 5.4 [RS97,RS93] If factoring is not in polynomial time, then there exist 
(N, Y, Y, Y) -OWF s. 

We now improve that sufficient condition to P ^ NP. 

Lemma 5.5 7/P / NP then there exist (N, Y, Y, Y)-OWFs and (N, Y, N, Y) -OWFs. 

2 In more detail: Rabi and Sherman [RS93,RS97], assuming P ^ NP, constructed a nontotal, commuta¬ 
tive, associative (in a slightly weaker model of associativity for partial functions that completely coincides 
with our model when speaking of total functions) one-way function that appears to fail to possess strong 
noninvertibility. They also proposed a construction that they claim can be used to transform every nontotal 
AOWF whose domain is in P to a total AOWF. However, their claim does not provide an (N, Y, Y, Y)-OWF, 
due to some subtle technical points. First, Rabi and Sherman’s construction—even if their claim were valid 
is not applicable to the nonstrong, nontotal, commutative AOWF they construct, since this function seems 
to not have a domain in P. Second, it it is not at all clear that their above-mentioned “construction to add 
totality” has the properties they assert for it. In particular, let UP as usual denote Valiant’s [Val76] class 
representing “unambiguous polynomial time.” Hemaspaandra and Rothe showed in [HR99] that any proof 
that the Rabi-Sherman claim about their transformation’s action is in general valid would immediately 
prove that UP = NP, which is considered unlikely. 
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Proof. By Lemma 5.3, it suffices to handle the case of (N, Y, Y, Y)-OWFs. So, assume 
P 7 ^ NP. This implies that there exists a total, one-way function / : £* —> S*. Define the 
function g : E* x £* —> E* by 


g(x,y) 


Of (a) if x = la and y = la 
e otherwise. 


g is clearly a one-way function, g also is clearly total and commutative, g is associative 
since it is not hard to see that (Va, b, c)[g(a, g(b, c)) = g(g(a,b),c) = e]. Though g is easily 
seen to be s-honest, g fails to be strongly noninvertible, and so is not strong. In particular, 
given the output and a purported first argument, here is how to find a second argument 
consistent with the first argument when one exists. If the output is e and the purported first 
argument is z, then output e as a second argument. If the output is 0 y and the purported 
first argument is lx , then if f(x) = y a good second argument is lx. In every other case, the 
output and purported first argument cannot have any second argument that is consistent 
with them, so we safely (though irrelevantly, except for achieving totality of our inverter if 
one desires that) in this case have our inverter output e. 1 


Theorem 5.6 For each t,c,a € {Y, N,*}, there exist (N,f,c,a)-OWFs if and only ifP^f 

NP. 

The proof of Theorem 5.6 follows immediately from Lemmas 5.1, 5.2, and 5.5, via 

Lemmas 3.2, 3.3, and 3.4. 

In conclusion, this paper studied the question of whether one-way functions can exist, 

where one imposes either possession, nonpossession, or being oblivious to possession of the 

properties of strongness, totality, commutativity, and associativity. We have shown that 

P NP is a necessary and sufficient condition in each of the possible 81 cases. 
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